Process Explorer/Process Monitor (procmon) v16.05

Part of Sysinternals by Microsoft Corporation

  1. Mike

    Introduction

    Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

    The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

    The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
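The search described above (which process has a given file open, which processes have loaded a given DLL) can also be scripted. The following is an added example written for this page, not code from Sysinternals or from Process Explorer itself: the DLL half uses Get-Process and CIM, the open-file half wraps handle.exe, a separate Sysinternals command-line tool. It assumes a Windows host, an elevated PowerShell session (otherwise processes owned by other accounts show no modules) and handle.exe on the PATH; the regex used to parse handle's output assumes its usual line layout and may need adjusting for a different version.

```powershell
# Added example: a PowerShell equivalent of Process Explorer's "Find Handle or DLL"
# search. Not Sysinternals code. Assumptions: Windows, an elevated session, and
# handle.exe (Sysinternals) on the PATH for Find-OpenFile.

function Find-LoadedModule {
    # Lists every process that has a DLL/EXE loaded whose name or path matches
    # $Pattern (wildcards allowed), with the owning account and file version.
    # This is what Process Explorer's DLL view shows after a search, and it is
    # how a DLL-version conflict or a module loaded from an odd path is spotted.
    param([Parameter(Mandatory)][string]$Pattern)

    foreach ($proc in Get-Process) {
        # Module enumeration throws for protected processes and, from a 32-bit
        # PowerShell host, for 64-bit processes; treat both as "no modules visible".
        $modules = try { @($proc.Modules) } catch { @() }
        if (-not $modules) { continue }

        $hits = $modules | Where-Object { $_.FileName -like $Pattern -or $_.ModuleName -like $Pattern }
        if (-not $hits) { continue }

        # Owner account, as shown in Process Explorer's top pane (User Name column).
        $owner = '<unknown>'
        $ci = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)" -ErrorAction SilentlyContinue
        if ($ci) {
            $r = Invoke-CimMethod -InputObject $ci -MethodName GetOwner -ErrorAction SilentlyContinue
            if ($r -and $r.ReturnValue -eq 0) { $owner = "$($r.Domain)\$($r.User)" }
        }

        foreach ($m in $hits) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Owner       = $owner
                Module      = $m.FileName
                Version     = $m.FileVersionInfo.FileVersion
            }
        }
    }
}

function Find-OpenFile {
    # Answers "which program has this file or directory open?" by running
    # handle.exe with a name fragment (handle matches partial paths) and parsing
    # its per-handle lines. The regex assumes handle's usual line layout
    # ('proc pid: N type: File [user] HEX: path'); adjust it if your version differs.
    param([Parameter(Mandatory)][string]$PathFragment)

    $lines = & handle.exe -accepteula -u $PathFragment 2>$null
    $pattern = '^(?<proc>\S+)\s+pid:\s+(?<pid>\d+)\s+type:\s+(?<type>\S+)\s+(?:(?<user>\S+)\s+)?(?<handle>[0-9A-Fa-f]+):\s+(?<name>.+)$'
    foreach ($line in $lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                ProcessName = $Matches.proc
                PID         = [int]$Matches.pid
                Owner       = $Matches.user
                Handle      = $Matches.handle
                Name        = $Matches.name.Trim()
            }
        }
    }
}

# Usage, e.g. every process that has loaded a DLL from a user-writable temp
# directory, and whoever holds a handle to a given log file (paths are illustrative):
#   Find-LoadedModule -Pattern '*\AppData\Local\Temp\*' | Format-Table -AutoSize
#   Find-OpenFile -PathFragment 'C:\Logs\app.log'
```

Run it elevated: without elevation, Get-Process returns the processes of other accounts but cannot open them, so their module lists come back empty and the search silently misses them, exactly as Process Explorer does when run unelevated.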

    About Sysinternals

    Windows Sysinternals is part of the Microsoft TechNet website and offers technical resources and utilities to manage, diagnose, troubleshoot and monitor a Microsoft Windows environment. The Sysinternals website (originally named ntinternals) was created in 1996 and operated by Winternals Software LP of Austin, Texas, a company founded by software developers Bryce Cogswell and Mark Russinovich. Microsoft acquired Winternals and its assets on July 18, 2006.

    The website featured several freeware tools to administer and monitor computers running Microsoft Windows; that software is now distributed by Microsoft. The company also sold data recovery utilities and professional editions of its freeware tools.

    Russinovich sparked the 2005 Sony BMG CD copy-protection scandal with an October 2005 post on the Sysinternals blog that exposed the rootkit-like copy-protection software the discs installed.
    On July 18, 2006, Microsoft acquired the company and its assets. Russinovich explained that the Sysinternals site would remain active until Microsoft decided on a method of distributing the tools; NT Locksmith, a Windows password recovery utility, was removed immediately, however. The Sysinternals site has since moved to the Windows Sysinternals site, part of Microsoft TechNet.
    In late 2010, Bryce Cogswell retired from Sysinternals.

    Source code and technology

    Most of the utilities came with their source code, written in C, C++ or assembly language; the code compiled under Visual C++ 6.0 with little effort from a Windows developer. Some of the more interesting utilities shipped without source, or with source for a reduced version only. Later releases added 64-bit builds and even Linux versions. Since the Microsoft acquisition, however, none of the available utilities ships with source code, and the Linux versions are no longer maintained or available.

    Some of the coding tricks relied on the Windows Native API (NTAPI), which was (and largely still is) undocumented by Microsoft. With source available, these tools served as worked examples of operations that cannot be done through the documented Win32 API alone, such as hiding Registry information and hooking APIs to monitor the operating system's file and Registry operations. The same techniques are what rootkits use to hide themselves, which is why tools built on them (RootkitRevealer, below) could also be used to detect them.

    Products

    Windows Sysinternals supplies numerous free utilities, most of them actively developed by Mark Russinovich and Bryce Cogswell: Process Explorer, an advanced replacement for Windows Task Manager; Autoruns, reputedly the most thorough manager of startup applications; RootkitRevealer, a rootkit detection utility; Contig; PageDefrag; and some 65 other utilities. NTFSDOS, which allowed NTFS volumes to be read from Microsoft's MS-DOS operating system, is discontinued and no longer available for download.

    Previously available for download was the Winternals Administrator Pack, which contained ERD Commander 2005, Remote Recover 3.0, NTFSDOS Professional 5.0, Crash Analyzer Wizard, FileRestore 1.0, Filemon Enterprise Edition 2.0, Regmon Enterprise Edition 2.0, AD Explorer Insight for Active Directory 2.0, and TCP Tools.

    On May 18, 2010, Sysinternals released its first new utility since the Microsoft acquisition: RAMMap, a memory diagnostic similar to the memory tab of Windows Resource Monitor but more detailed. RAMMap runs only on Windows Vista and later.

    Licensing issue with Best Buy

    In April 2006, Geek Squad, a tech-support company working in cooperation with Best Buy, was accused of using unlicensed copies of ERD Commander. Winternals had supplied Best Buy with copies of its software for evaluation while the two negotiated a contract for permanent use; when the talks broke down, Best Buy did not tell its Geek Squad agents to stop using the software and discard all copies. On April 14 a judge granted a restraining order requiring that all use of the unlicensed software stop and that Best Buy turn over all copies of Winternals software within 20 days. After a settlement, a version of the Winternals software was released for use by Geek Squad.

Recent Reviews

  1. Josephur
     5/5, Version: 15.40
     Task manager on steroids!